General

  • Target

    UnderWarWater.exe

  • Size

    98.2MB

  • Sample

    250328-p5pqsawtgx

  • MD5

    85dc638e417e676b707288f017f2a97b

  • SHA1

    c0dfd9143e64572eadafc9ecf5d6e7f4ae4857c5

  • SHA256

    03f689a86fdef4d8692e7915f1513bd5bcefc23faaaf16e1189c748bf1a1ae5e

  • SHA512

    1a97d213e0ae76dcf519847e1c90254e788735553f93269cf7f62793673bd43c319987f820a05526205be9f5698cd866e79846b5365c7880e03e4fd7bac406ea

  • SSDEEP

    1572864:Q7aHmy0KrBxiZO/KHqpLN5K6dkePuqKQZaRrwLguql2ssjVo7EMUx4vdgrK18E:Q7KmiBIYJNE6jPu6ZaSTjjVURUx4vd0E

Malware Config

Targets

    • Target

      UnderWarWater.exe

    • Size

      98.2MB

    • MD5

      85dc638e417e676b707288f017f2a97b

    • SHA1

      c0dfd9143e64572eadafc9ecf5d6e7f4ae4857c5

    • SHA256

      03f689a86fdef4d8692e7915f1513bd5bcefc23faaaf16e1189c748bf1a1ae5e

    • SHA512

      1a97d213e0ae76dcf519847e1c90254e788735553f93269cf7f62793673bd43c319987f820a05526205be9f5698cd866e79846b5365c7880e03e4fd7bac406ea

    • SSDEEP

      1572864:Q7aHmy0KrBxiZO/KHqpLN5K6dkePuqKQZaRrwLguql2ssjVo7EMUx4vdgrK18E:Q7KmiBIYJNE6jPu6ZaSTjjVURUx4vd0E

    • Renames multiple (109) files with added filename extension

      This suggests ransomware activity: encrypting the files on the system.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Target

      $PLUGINSDIR/SpiderBanner.dll

    • Size

      9KB

    • MD5

      17309e33b596ba3a5693b4d3e85cf8d7

    • SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

    • SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    • SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    • SSDEEP

      192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY

    Score
    3/10
    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      LICENSES.chromium.html

    • Size

      11.7MB

    • MD5

      45bc486db849cf8b8f0e38f34c8ff05b

    • SHA1

      f33015f0e3767e869e6e8f9ab73332fd865d77a1

    • SHA256

      13b6a0f7b308c57cbced247d9ebb8c63aa97e253bdf2f21f733ae71cf48163a5

    • SHA512

      eb2edfa0de7a84079967664039a3b2a51153d77b0d2b477e50399d75b8180690969cb6f799fd0fc480a8c4760cb206d1e8602a1b16f4c5fd4a144ccf204b673f

    • SSDEEP

      24576:y9dQc6poY6jbCjK6uwR6ETamf1jZ6ojK6QjZ6UjK6ajK64jK6cjZ6ijK6b6cjK6z:yMeGAyWPbX8me7

    Score
    4/10
    • Target

      UnderWarWater.exe

    • Size

      191.1MB

    • MD5

      0981ac9a16925d20557adaba10f7661f

    • SHA1

      05dcb44df3077f876def54725828705e749b6556

    • SHA256

      062de01d3e6ff819efd3c536b9e91a64a7b1da3a7cbfa3cba8999b302324145a

    • SHA512

      f160772bb87ce908f461a196bdb376ac328473f74a4265c020545f477f26b1519cad6488c382ef87077a1f52a52ac6df5d0f3c5c6a6695edcc214125cc7091c4

    • SSDEEP

      1572864:IpnoNjghwW/8lxj9UNia0SUp6esGCA/Ys92JDSN01TCwaMWPwVdWeKtT4ZuBF/Ak:riryLxW

    • Renames multiple (109) files with added filename extension

      This suggests ransomware activity: encrypting the files on the system.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      a7b7470c347f84365ffe1b2072b4f95c

    • SHA1

      57a96f6fb326ba65b7f7016242132b3f9464c7a3

    • SHA256

      af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

    • SHA512

      83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    • SSDEEP

      49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.9MB

    • MD5

      929482816404b0cef4164477c6235198

    • SHA1

      ff92ad7fcc5c7ea427314f225bdd7aba16bb04ed

    • SHA256

      8e0a71294245c97616a15238974c54ce372b407c042b935904765c915cd003ee

    • SHA512

      5dd326d5943309f2606b329c8068e14aa7f1872f664eaae9a0937952e21d7a5ecc6ce21ea33a6e91a1e0840489261296210e83724a2f97051e19e4982acaad81

    • SSDEEP

      49152:SJcctgGDcyjVMLp2GDv6ZHIY1LYa12wL5tRGBnlqbAuHYUftjdljoyLFc6eFLkU8:S/+mI7Dv2HIY1LoqbAuHYUftjdljoyLp

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      481KB

    • MD5

      9e12dcfefc212baaccdc3498ab81b66a

    • SHA1

      f33c05f4f120239df176a7bb667a0e00a2baba64

    • SHA256

      e57d447cbef2afaab8a901e67204de837bf4bce998c06c87c1f68033afd37744

    • SHA512

      45a152c5fd896dcbfcaae72ad6e9a48402f5f5b5dbe5497b98f009b9654d81bd4f4c68a9667e04db9f712cd95954538c35a76b765e042856c37a716bf739f5b8

    • SSDEEP

      6144:EGRDfOcVCmVzOZAprcPYL1IhVzlK3sBfAPPMotBR+CfqOvNBY7p3pq88qD35:EGRzOla021eVzlKcqMUR+CfqO16VEc

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      7.7MB

    • MD5

      e2abd4d977f12dfeec34439b79794c8e

    • SHA1

      126fa77cf857e3fb3384e232ca1fa44ddcd704f2

    • SHA256

      bcafc569fe806aa2b282c600a2ebf0984c2c7c9fd361131171788e171a3b0dad

    • SHA512

      476aef839c48ff84f2eafbaf05b242bc12d779ac525f4189e0ef47fb4a1705c1cad2b63db61d8833dda2d1fcdcc9ab89ecf15bf6b16b5b1de42c7d49e31595c8

    • SSDEEP

      98304:OtTad6d8JCdoc7PjWstHFOHuMRA4Z0lxVXbi1A6WXMlEvN/:bd6d8q1HFpM+FboEd

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/bin/asar.js

    • Size

      2KB

    • MD5

      de4f7c99e69f227ec5a46fdb37aa7dc1

    • SHA1

      fb19724979d6ae1310ab159ba12341ebdcb1de2d

    • SHA256

      18dda5a64bd7036cb8c28cfb827020ef0c8d2b6dd8b7a97caabed58f114eb308

    • SHA512

      487103971f66dbea00776b2f7e8f8275473e4d09ebc9aac6bfd577f7e5cc1e8052d5dd4d5b9b0bfdb803b1875d1bb78e7000266ed1b34af699721238bdcb01a1

    Score
    4/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/asar.js

    • Size

      10KB

    • MD5

      e3e921232437ce3d78be2093a5365e44

    • SHA1

      e8c1e608dba56771999480691865160691a8d3ca

    • SHA256

      c8160a6406a728092bb739982662d55f922ab3b56feff18bc8221f220f18651f

    • SHA512

      fdfa3c293264392ad2049910c5ccf75b373ec12253640cb59eddd22aa8d09042ffad647469aaa9471ca7acf40edd9b98b4ba7551d4e5c7a0b5c305310072d7a1

    • SSDEEP

      192:0xk9D7vW88t5Vul/Mbq2cWovNlyJyLy1RTpo4fzil6+s9MDtdaTYpUDIG6QyNg+G:0xmUmVvv/6MuEGlIBDIv

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/crawlfs.js

    • Size

      3KB

    • MD5

      2d3a0ba798a48fda4c25ac3e3652ae0d

    • SHA1

      469ae49f57eb70d4e50c3b3674878b3298c205a9

    • SHA256

      d12dc17a359baebd2f35a7057e1af4dbc15779a478aa6a767afee77027f2aa5e

    • SHA512

      8f0aa16f97d99d89e6773e8d37c51b0d240461f17b299cc099de85aeffb37f38098f1b1c3b462fb8f003ebc16bd08305cf4d873e6a95a23e93e11c5fd8898025

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/disk.js

    • Size

      7KB

    • MD5

      236b8c623f4a2400f88340b05ab24415

    • SHA1

      cd6a2bebb537c4493f1b194e11e9ec84b7ed4db6

    • SHA256

      9fd9ed99c94921aeace5a7505943bc7c9aa981351c66201d8f57eaae1a1a0a45

    • SHA512

      e6acd976eee7b53b1c8681f3d436826a841e3165899c423acdfe514195fe250a48c2e5a80c6df1760b78b204cf6198ce409a97c94bc1481d3e4dd1aa2b4faa88

    • SSDEEP

      192:0xk9D7vW88ECDEBenBrxaoFLk4iNSWNqFkQBlYjw+Rhkai+aY6+34eQ4HQzeAeqI:0xms7tceLkjSWNqB+RpD7

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/filesystem.js

    • Size

      7KB

    • MD5

      59df24881e2d09553cc5c3ecc024508d

    • SHA1

      438828ca559ac49e2a65f015ee8e9cc038d077fa

    • SHA256

      d9bf24f17b1c812ac859ab67bc1912be3e1dd555459d1e3ab6f1d138ce8ccf88

    • SHA512

      6b24680167e45d80624af88b47751676219e33b04e01868f269769392a8f963dc590dc4fe494860bb8d5cee882ca5ae9480f704d786e66a6c901bf433e9b0d30

    • SSDEEP

      192:0xk9D7vW88DJi3BzyCgUCyzn47xcM1cxGGm61//+Btb2BnZ+UkMgnO+vYNwCaXnp:0xmeXVHGH68Zknaop

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/integrity.js

    • Size

      2KB

    • MD5

      b9ff6dbc60cf7504826b3d9ce19508ef

    • SHA1

      83382a8abd9fcffde366154ec29ae3330b4f786d

    • SHA256

      5ba9815a6fb3f7263ff52cf8ce72c74701f4446f1f51d34c8896231abadc8363

    • SHA512

      ed570f390535e1c7d7f7127e79419079da39ffa1c3c5b5c041120fa4fa800e3281712dce0e71d9cbcf5825fe8012d585b6bd5fd016b6edbaa7abba10f9357ce8

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/pickle.js

    • Size

      6KB

    • MD5

      7bc50c35828855efff7a4dc62f3e927b

    • SHA1

      d094d8fe73cbc107687b0a8f9e8ca7ab2b5c751e

    • SHA256

      771c59cf05e42ee55f5bf03cbabc84f86fd623dee1bd725f0602812637fa0867

    • SHA512

      7c4eeb628bd5c07db16c1f9c3e2612ce345334b5a15040ea95fca69e594c820b1b846ad838df10380d36a7665e4f6abd1ec17450660c7542c02fdef73622d27c

    • SSDEEP

      192:KYEXflQSCQlWQl8QzaQgIQ46QZwQdpMQ04biaTxN8G8nYxf28MTeaNO9H2Xk/hEn:0/fXjK8T5pDNqqO9jNO9H2dBT1x

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@electron/asar/lib/types/glob.js

    • Size

      109B

    • MD5

      040e8ba3984b0170e70c8275ad2af930

    • SHA1

      0d35a68a7519965f31199423f3fbf16f7f043e1d

    • SHA256

      a50816de032869a71c32f03df1ad6d5b955c69a452f8ec91980061f974a08854

    • SHA512

      56935bc8fa969ddb4040a397347d1b39647fd4d36bc8248c925ad1e563d96278679ac8064de60c0ccbd41ee1734604635e6babd6a82e421322517ab36f629ff9

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery, ransomware
Score
9/10

behavioral2

credential_access, discovery, execution, persistence, ransomware, spyware, stealer
Score
9/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
4/10

behavioral11

credential_access, discovery, execution, persistence, ransomware, spyware, stealer
Score
9/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

antivm, discovery
Score
4/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

execution
Score
3/10

behavioral21

execution
Score
3/10

behavioral22

execution
Score
3/10

behavioral23

execution
Score
3/10

behavioral24

execution
Score
3/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

execution
Score
3/10

behavioral28

execution
Score
3/10

behavioral29

execution
Score
3/10

behavioral30

execution
Score
3/10

behavioral31

execution
Score
3/10

behavioral32

execution
Score
3/10
